All In The Family, But No Security Exceptions

Fixing an Android security problem is no easy task, according to technology columnist Sean Doherty.

I recently offered legal services to my brother. His first question did not go to my experience in handling his matter but what I used for security on my PC and mobile device. I had an “antivirus” answer for the PC but fell short on smartphone security. I told my brother I ran Google Android 5 aka Lollipop and enabled automatic updates, but it hardly mollified my seemingly insecure position.

Perhaps “Lollipop” didn’t quite capture the notion of a secure mobile operating system; or without antivirus software, perhaps the Android device presented an inexplicable and perhaps unjustifiable security hole. A hole that several researchers from the University of Cambridge recently drove a truck through.

A recent study from Cambridge showed that 87 percent of Android devices are vulnerable to attack by malicious apps and messages. The study laid blame on the manufacturers because most do not provide regular security updates, albeit some manufacturers, such as Google’s Nexus, LG and Motorola, provide more security updates than others, namely Samsung, Sony and HTC. The study admitted that all large software companies first uncover security risks then release software updates to mitigate them. Security performance largely becomes a matter of speeding patches to the public. For more information on manufacturers’ security performance for Android, see androidvulnerabilities.org.

The Cambridge study recommends installing apps only from the Google Play Store because Google performs additional safety checks on apps. But in the draft paper “The Lifetime of Android API (Application Programming Interface) Vulnerabilities: Case Study on the JavaScript-to-Java Interface,” the same Cambridge researchers who drove a truck through my S5 described how the complexity of the Android developer ecosystem exacerbates security problems.

The Android ecosystem is a “complex network of competing and collaborating companies,” according to the paper. Fixing an Android security problem is no easy task. It can require collaboration among open source developers, device manufacturers, network operators and users, who need to approve device updates. Besides Google developers, there are more than 170 open source projects whose code is used in the Android platform, and many manufacturers and network operators further customize Android for their brand of devices and networks.

If the above is not enough for you to run as fast as you can from an Android device, let’s dig into the draft paper’s focus: Application Programming Interface (API) vulnerabilities from a JavaScript-to-Java (JS2J) interface.

Prior to version 4.2, the Android operating system allowed convenient JS2J interaction between its WebView and a hosting app. The convenience, however, opened security vulnerability CVE-2012-6636, which lets an attacker remotely run malicious code in an app and ultimately gain root privileges on Android devices. Once an attacker has rooted an Android device, he or she can use Internet Control Message Protocol (ICMP) to reroute local traffic through the device and inject malicious JavaScript into HTTP traffic, creating an Android worm.

Recent changes to the operating system prevent the vulnerability if the phone is running Android version 4.2 or greater and if the app has been compiled with a newer Android framework (API level 17 or above). Although vulnerability CVE-2012-6636 was identified in October 2012, Cambridge researchers estimate that the fix will not be universal until 2018. Why? Older Android devices continue to use outdated operating systems and API versions and not all users enable automatic updates. Surprise!
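The two-part fix condition above can be checked against an app inventory. The following Python sketch is an added example, not code from the Cambridge paper or the column: it reads `targetSdkVersion` from a decoded `AndroidManifest.xml` and reports why a given app and device pairing is still exposed. The sample manifests, package names, device API levels and the `exposes_js_interface` flag (for instance, set after a code search for `addJavascriptInterface`) are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
FIXED_API = 17  # Android 4.2: the level the article cites for the fix

def sdk_levels(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion) from a decoded manifest."""
    uses = ET.fromstring(manifest_xml).find("uses-sdk")
    attrs = uses.attrib if uses is not None else {}
    # Android defaults: minSdkVersion is 1, targetSdkVersion follows minSdkVersion
    min_sdk = int(attrs.get(f"{{{ANDROID_NS}}}minSdkVersion", 1))
    target = int(attrs.get(f"{{{ANDROID_NS}}}targetSdkVersion", min_sdk))
    return min_sdk, target

def assess(manifest_xml, exposes_js_interface, device_api):
    """Protected only if BOTH the device and the app's target API are >= 17."""
    if not exposes_js_interface:
        return "not-affected"
    _, target = sdk_levels(manifest_xml)
    reasons = []
    if device_api < FIXED_API:
        reasons.append("device-below-4.2")
    if target < FIXED_API:
        reasons.append("app-targets-old-api")
    return "exposed:" + ",".join(reasons) if reasons else "protected"

def fleet_exposure(manifest_xml, exposes_js_interface, device_apis):
    """Fraction of a device fleet on which this app remains exposed."""
    hits = sum(assess(manifest_xml, exposes_js_interface, api).startswith("exposed")
               for api in device_apis)
    return hits / len(device_apis)

# Constructed sample manifests (hypothetical apps)
LEGACY_APP = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.legacy">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
</manifest>"""
UPDATED_APP = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.updated">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19"/>
</manifest>"""

if __name__ == "__main__":
    fleet = [15, 16, 17, 22]  # constructed device API levels
    for name, app in (("legacy", LEGACY_APP), ("updated", UPDATED_APP)):
        print(name, [assess(app, True, api) for api in fleet],
              fleet_exposure(app, True, fleet))
```

The legacy app stays exposed even on an up-to-date device because it was built against an API level below 17, which is why device updates alone do not close the hole.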

Short of ditching Android, I may pin my hopes on the forthcoming BlackBerry PRIV. The PRIV will run on Android and support a slide-out BlackBerry keyboard and “streamlined communications,” which I hope means the BlackBerry Hub will somehow remain intact. The PRIV promises BlackBerry security and introduces DTEK, a BlackBerry “warning system app” that protects privacy. BlackBerry also promises to open the PRIV to Google Play Store apps.

I hope the Canadian company provides a Play Store filter for BlackBerry-approved apps, else I am back to where I started with that hole in my S5. And I can hear that Cambridge truck shift into reverse.

(Disclosure: The author owns a Samsung S5 running Android 5 Lollipop.)


Attorney Sean Doherty has been following enterprise and legal technology for more than 15 years as a former senior technology editor for UBM Tech (formerly CMP Media) and former technology editor for Law.com and ALM Media. Sean analyzes and reviews technology products and services for lawyers, law firms, and corporate legal departments. Contact him via email at sean@laroque-doherty.net and follow him on Twitter: @SeanD0herty.
